[
https://issues.apache.org/jira/browse/HADOOP-9421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687233#comment-13687233
]
Daryn Sharp commented on HADOOP-9421:
-------------------------------------
Per Sanjay's request, here's a quick summary:
This patch does not directly address deficiencies in the negotiation process. It
merely provides the flexibility to fix them in the near future. The basic
changes are:
* SASL protobufs
* SASL protobufs wrapped with RPC header
* Server advertised SASL auth methods - currently ignored by client
Wrapping SASL negotiation in an RPC header avoids decoding errors. Ex. A secure
client currently tries to decode an RPC exception from an incompatible
connection header as a SASL message. The client also can't handle an RPC
exception mid-stream during SASL negotiation. The RPC header allows the server
and client to correctly decode the payload.
Using the RPC headers, with the addition of a streamId, will also allow the
_future potential_ to multiplex multiple UGIs over the same connection.
Services like the NN can be overwhelmed by a stampede of connections. The NM
may be an ideal candidate for aggregation of connections, or even a per-node
multiplexor for tasks.
Server advertisement of auth methods aims to address the current limitation of
allowing 1 pre-determined auth or simple. Additional consideration is needed
for a client-side whitelist to avoid server unexpectedly requesting weak
authentication. In the current patch, the client ignores the server and
blindly attempts the negotiation as it does today.
+Other future features unlocked by this design+
* Brings us much closer to pluggable auth methods w/o changing server and
client code
* Client may select a server advertised auth method to:
*# Support services and/or clusters with heterogeneous auth methods (ex.
thinking of knox, rhino, etc)
*# *Critical to Y!*: IP failover, especially for HA with kerberos. The client
needs the active NN's host to acquire a service ticket
*# Simplify token selection by using an opaque identifier supplied by the
server - will eliminate use_ip, and even the complex HA token logic
*# Support accessing multi-interface hosts on all interfaces
*# Support accessing services via any of their hostnames, ips, or CNAMEs
* Ability to greatly reduce complexity of client/server auth code, and cleanly
decouple SASL logic
* As mentioned before, multiplexing of different UGIs over a shared connection
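The two points above that matter most to a client, a header that lets it tell an RPC exception apart from a SASL message, and a client-side whitelist over the auth methods the server advertises, as an added, simplified model (not the Hadoop patch's protobufs or code; the frame layout, message kinds and JSON payload are constructed for illustration):

```python
import json
import struct

# Constructed message kinds carried in the header; not Hadoop's real definitions.
KIND_SASL = 1
KIND_EXCEPTION = 2

def frame(kind, payload):
    """Length-prefix a message: [4-byte len][1-byte kind][payload]."""
    body = bytes([kind]) + payload
    return struct.pack(">I", len(body)) + body

def parse_frames(buf):
    """Split a byte stream into (kind, payload) messages.
    An incomplete trailing frame is left unparsed (non-blocking reads)."""
    msgs, off = [], 0
    while off + 4 <= len(buf):
        n = struct.unpack(">I", buf[off:off + 4])[0]
        if off + 4 + n > len(buf):
            break
        body = buf[off + 4:off + 4 + n]
        msgs.append((body[0], body[1:]))
        off += 4 + n
    return msgs, buf[off:]

def negotiate_frame(auths):
    """Server side: advertise auth methods in a SASL NEGOTIATE message."""
    return frame(KIND_SASL, json.dumps({"state": "NEGOTIATE", "auths": auths}).encode())

def choose_auth(advertised, client_allowed):
    """Client-side whitelist: first advertised method the client permits, or None.
    Returning None makes an unexpected weak method (e.g. SIMPLE) a refusal,
    not a silent downgrade."""
    for method in advertised:
        if method in client_allowed:
            return method
    return None

def client_negotiate(stream, client_allowed):
    """Client view of the first server message: exception, negotiate, or incomplete."""
    msgs, _rest = parse_frames(stream)
    for kind, payload in msgs:
        if kind == KIND_EXCEPTION:
            # Decoded as an exception thanks to the header, not mis-parsed as SASL.
            return ("error", payload.decode())
        if kind == KIND_SASL:
            sasl = json.loads(payload)
            if sasl["state"] == "NEGOTIATE":
                choice = choose_auth(sasl["auths"], client_allowed)
                return ("refused", sasl["auths"]) if choice is None else ("initiate", choice)
    return ("incomplete", None)
```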
> Convert SASL to use ProtoBuf and add lengths for non-blocking processing
> ------------------------------------------------------------------------
>
> Key: HADOOP-9421
> URL: https://issues.apache.org/jira/browse/HADOOP-9421
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 2.0.3-alpha
> Reporter: Sanjay Radia
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch,
> HADOOP-9421.patch, HADOOP-9421-v2-demo.patch
>
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira